Detection of Hardware Trojans using Clock Sweeping
Presented by
Ashish Maurya
(2015vlsi-13)
ABV-Indian Institute of Information Technology and Management Gwalior,
Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474015.
January 21, 2016
Presented by Ashish Maurya(2015vlsi-13) ABV-IIITM January 21, 2016 1 / 20
Contents
1 Introduction
2 Trojan Detection using side channel analysis
3 Conclusion
4 References
Introduction
Trojan detection is extremely difficult due to process and environmental variations.
Use of detector networks for side-channel analysis requires more hardware.
This also gives an adversary the opportunity to embed functionality not stated in
the specifications.
A circuit containing a large number of paths requires more detectors in the network.
Introduction(contd.)
Figure: Detector Network
Introduction(contd.)
Trojan behavior is unknown, so it would be challenging to devise a Trojan detection
technique that can target all types of Trojans.
Trojan detection approaches can be divided into two categories:
- Full Trojan activation methods and
- Side-channel analysis methods.
Full Trojan activation methods try to activate Trojans by applying test vectors and
comparing the responses with the correct results.
Some Trojans may transmit information with an antenna, or modify the specification
instead of changing the function of the original circuit.
Full Trojan activation methods may fail to detect these kinds of Trojans.
Trojan Detection using side channel analysis
Detection using Clock Sweeping Technique
Source: K. Xiao, X. Zhang, and M. Tehranipoor (ECE Dept., Univ. of Connecticut,
Storrs, CT, USA), "A Clock Sweeping Technique for Detecting Hardware Trojans
Impacting Circuits Delay," IEEE Design and Test, 2013.
Detection using Clock Sweeping Technique
Compared to other side-channel signal techniques, a delay-based technique has a
unique benefit because it does not need to activate the Trojan either partially or
fully.
Each path delay is relatively independent, so one path is less affected by other paths
of the chip.
A Trojan can potentially contribute more to a path delay change than total circuit
power.
Existing delay-based Trojan detection methods face the following challenges:
1) Maximum detection coverage of Trojans,
2) Measurement of path delays at a low cost.
Clock Sweeping
The clock sweeping technique is used to obtain path delay information without any
additional hardware.
In the clock sweeping technique, path delay fault (PDF) patterns are used to obtain
high coverage on the nodes of critical and noncritical paths.
Once the data has been collected by clock sweeping, we generate a series of delay
signatures for the ICs, and then analyze whether the ICs contain Trojans or not.
Clock Sweeping(contd.)
Path delay increased by Trojans is measured through slack in the clock sweeping
technique.
The clock sweeping technique is developed to target shorter paths affected by Trojans
without any design or silicon overhead.
Clock sweeping involves applying a pattern at different clock frequencies, from a
lower speed to higher speeds, which is a common industry practice used for speed
binning of parts.
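The sweep and signature steps described above, as an added example (not code from the slides or from the cited paper): each pattern is applied at a decreasing clock period, the step at which it first fails is recorded, and the per-pattern steps form the IC's delay signature. The path delays, sweep range, guard band and the min-envelope comparison against Trojan-free ICs are assumptions made for this illustration.

```python
# Added example: simulated clock sweeping on constructed path delays (ns).
# Sweep from a slow clock to a fast one, as in speed binning: 4.0 ns down to 1.0 ns.
SWEEP_PERIODS_NS = [round(4.0 - 0.1 * i, 1) for i in range(31)]

def start_to_fail(path_delay_ns, periods=SWEEP_PERIODS_NS):
    """Sweep step at which a pattern first fails (slack turns negative).

    Returns len(periods) if the path never fails inside the sweep range.
    """
    for step, period in enumerate(periods):
        if period < path_delay_ns:
            return step
    return len(periods)

def signature(path_delays_ns):
    """Delay signature of one IC: the start-to-fail step of every pattern."""
    return [start_to_fail(d) for d in path_delays_ns]

def golden_envelope(golden_signatures):
    """Earliest failing step per pattern across the Trojan-free ICs."""
    return [min(column) for column in zip(*golden_signatures)]

def suspicious_patterns(sig, envelope, guard_steps=1):
    """Patterns that fail earlier than every golden IC by more than the guard band.

    The guard band is an assumed allowance for measurement noise.
    """
    return [i for i, (s, low) in enumerate(zip(sig, envelope)) if s < low - guard_steps]

# Constructed data: six sensitized paths on three Trojan-free ICs with process
# variation, plus one IC whose short path 1 carries extra (Trojan-like) delay.
GOLDEN_DELAYS = [
    [1.21, 1.61, 1.99, 2.38, 2.76, 3.15],
    [1.25, 1.65, 2.05, 2.45, 2.85, 3.25],
    [1.29, 1.69, 2.11, 2.52, 2.94, 3.35],
]
SUSPECT_DELAYS = [1.25, 2.02, 2.05, 2.45, 2.85, 3.25]

ENVELOPE = golden_envelope([signature(d) for d in GOLDEN_DELAYS])

if __name__ == "__main__":
    sig = signature(SUSPECT_DELAYS)
    print("golden envelope  :", ENVELOPE)
    print("suspect signature:", sig)
    print("flagged patterns :", suspicious_patterns(sig, ENVELOPE))
```

In the constructed data the altered path is a short one (2.02 ns), so it still passes at the slowest 4.0 ns clock with ample slack; only sweeping toward higher frequencies exposes the shift.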
Clock sweeping Example
Figure: Example Circuit
Six paths in this circuit are sensitized by test patterns.
Clock sweeping Example(contd.)
Figure: Clock sweeping
Signature generation procedure using clock sweeping.
Figure: Signature generation flow
Trojan impact on path delay
Adversaries will try to maintain the original design layout and insert Trojans into
unused spaces of the layout to keep the Trojan hidden.
From this:
- Nodes (outputs of gates) in the genuine IC, instead of paths, are considered for the
analysis.
- These nodes might be affected by either a trigger or a payload from a Trojan.
Three types of Trojans are considered, depending on how they are activated and their
action on the functional circuit:
- Trojans with only payloads (TP),
- Trojans with only triggers (TT),
- Trojans with both triggers and payloads (TTP).
Process
For any Trojan trying to change the function of the design, a payload gate has to be
inserted at a node.
Figure: Example of TP
The sensitized path in the genuine design (the bold line) passes through node B.
Two payload gates are inserted at two positions. One is physically very close to the
node (short l1 and l2) and the other is remote from the node (longer l1 and l2).
Process(contd.)
Figure: A path's delay without and with TP, with short and long l1 and l2
The additional delay consists of the propagation delay of the payload and the delay
from the capacitances of the two wires (l1 and l2).
The delay of the path going through node B is measured.
The results show that a TP has increased the path delay significantly, more so for
Trojans with long interconnections.
Process(contd.)
Figure: Example of TT
For analysis, the Trojan gate is placed one at a time at four different locations,
with one input connecting to node D on the sensitized path.
The first location is very close to node D, with locations 2, 3, and 4 being
successively further away from node D.
Process(contd.)
Figure: A path delay without and with TT at four different locations
The delay of the sensitized path is measured with and without Trojans for the
different locations.
The results show that the path delay increases as we move closer to the Trojan.
Conclusion
Effective for both critical and non-critical paths.
One major advantage of side-channel analysis is that Trojans can be detected without
being fully triggered.
A signature is needed in this technique, which means we need a Trojan-free IC.
One of the critical issues of the side-channel analysis method, the effect of
process variation, is solved by this technique.
But some other critical issues, like environmental variation and measurement
noise, are still not solved.
References
Y. Cao, C.-H. Chang, and S. Chen, “A cluster-based distributed active current
sensing circuit for hardware trojan detection,” Information Forensics and Security,
IEEE Transactions on, vol. 9, no. 12, pp. 2220–2231, Dec 2014.
T. Hoque, M. Mustapa, F. Amsaad, and M. Niamat, “Assessment of nand based
ring oscillator for hardware trojan detection,” in Circuits and Systems (MWSCAS),
2015 IEEE 58th International Midwest Symposium on, Aug 2015, pp. 1–4.
A. Ferraiuolo, X. Zhang, and M. Tehranipoor, “Experimental analysis of a ring
oscillator network for hardware trojan detection in a 90nm asic,” in Computer-Aided
Design (ICCAD), 2012 IEEE/ACM International Conference on, Nov 2012, pp.
37–42.
S. K. Haider, C. Jin, M. Ahmad, D. M. Shila, O. Khan, and M. van Dijk, “Hatch: A
formal framework of hardware trojan design and detection,” Cryptology ePrint
Archive, Report 2014/943, 2014, http://eprint.iacr.org/.
Thank You
